Tuesday, 14 February 2012

As an information security professional I am often asked about the Cloud, in particular “Is the Cloud safe?” and “Should I use the Cloud?”

For me the starting point should be:

“What data do I want to put in to the Cloud and how important is that data to me in terms of confidentiality, availability and integrity?”

The answers to these questions, combined with an appreciation of the risks associated with using the Cloud, will then enable you to decide if using the Cloud is for you. More importantly, it will allow you to manage the risks involved. This approach will enable your business to meet its objectives whilst managing the risk to an acceptable level.

Cloud basics

What is the Cloud? Well, in short, it is a great marketing gimmick. There is no single thing that is the ‘Cloud’. The Cloud is a term used to describe multiple service offerings such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). All of these are characterised by on-demand provisioning, the ability to scale rapidly, and payment solely for the amount of resource required at any given point. Cloud provision often makes use of shared virtual services for the storage and processing of data.

Organisations can implement their own ‘Cloud’ or can partner with an external supplier to use the external party’s infrastructure. The basic premise is that you only provision the services required to meet your needs and that you can then grow and shrink this as required, with the organisation only paying for the resource consumed.

Key Risks

What are the key risks presented by using the Cloud? For me the key risks, and some of the issues that an organisation should explore when looking at the Cloud, break down as follows:

What legal jurisdiction will my data be held within?

As an organisation you should be aware of how legal requirements to disclose data may be affected by the geography of where the data is stored. If you are based in the UK and use a US based Cloud provider, consider the impact on your organisation if the US courts enforce disclosure of your sensitive data. Where the Cloud is used to store or process sensitive personal data, there may be an impact on your compliance with the required regulation (Data Protection Act), which you will need to fully understand and mitigate.

Will your Cloud provider place your data in multiple geographies without your knowledge?

Different geographical locations mean different legal jurisdictions, which will have an impact on your legal and regulatory requirements within each of those regions. This may restrict the type of data that can be stored or processed, or limit how the data in question can be transferred between locations. The ability to encrypt data will also be impacted within certain locations due to export restrictions.

Who else may have access to my data?

Many Cloud services are based on the use of shared services / Multi-Tenancy solutions. The benefit to the end user is reduced costs, but this can also lead to security concerns. The data may be at risk of attack from another user of the same Cloud service due to the architecture in use. Consideration should be given to how the Cloud provider has limited the possibility of data compromise.

Will my data be destroyed securely?

As discussed earlier, the idea of the Cloud is that you can grow and shrink your resource requirement. When the data on disks is no longer needed then it will need to be destroyed. You will need to gain assurance that the data has been destroyed in compliance with your organisation’s standards, that the next user of that environment will not accidentally gain access to your data, and that you have met any regulatory requirements.

What level of availability do I require for my data?

The Cloud sells itself as always being there. The data is ‘in the Cloud’, so you will always have access to it. However, the Cloud brings its own impact in relation to your organisational Business Continuity Plans and Disaster Recovery approach. Consideration should be given to scenarios where the Cloud provider fails or your ability to connect to the Internet fails. This may render the data unavailable.

What other unintended consequences need to be considered?

The list above is not exhaustive and there will be other issues specific to your organisation that will need to be explored to enable you to make an informed decision about using the Cloud. There will also be further unintended consequences that the Cloud will introduce, and as many of these as possible should be identified to enable a robust risk managed approach to be undertaken.

An example of one unintended consequence is that Cloud services are based on the concept of paying for the service required and on the flexibility to grow and shrink the required resource on demand.

Many providers have an automatic provisioning system that enables you to manage the demand and will bill your organisation automatically. Consideration should be given to the security of this approach, focused on who can authorise the provisioning and how costs can be limited to an acceptable level.

If there is a flaw within the provisioning system then there is a risk that this can be circumvented and result in malicious / fraudulent use. This could result in large unexpected financial bills or legal action being taken against your organisation for storing illegal data that was maliciously uploaded.

Bringing it all together

The Cloud offers a cost effective and flexible approach to manage your data storage and processing requirements. However, the Cloud is no different to the wider challenges of managing an organisation’s data securely. With these unique opportunities, unique risks will arise. A sound understanding of these risks will enable an organisation to assess if the Cloud is right for them and if it sits within the overall organisational risk appetite for data security. Risk areas identified can then be used to structure any assessment of potential providers, to ensure that they can meet your requirements and that the contract will legally enforce this.

Wednesday, 1 February 2012

Are we in danger of brainwashing employees to be susceptible to interacting with phishing sites or malicious sites by incorrectly using SSL internally?

IT departments and security teams spend many hours trying to educate internal users to ensure that they do not disclose sensitive information, such as passwords and account details, or visit phishing sites. But is this all undone by the poor use of SSL certificates? On the majority of infrastructure engagements undertaken over the last decade one issue always comes up – the use of SSL internally.

Many organisations will spend time and effort to implement a robust approach to the use of SSL for external (customer) facing web applications. They will deploy well configured certificates that have not expired, signed with a strong hashing algorithm from a known certificate authority (ok, maybe we need to revisit that one!) and will have been configured to only support strong cipher suites and protocols.

However, move within the organisational boundary and all of these examples of good practice are forgotten and we will see the opposite state, where the norm is to find:

SSL Anonymous Cipher Suites Supported

SSL Certificate Expiry

SSL Certificate Signed using Weak Hashing Algorithm

SSL Certificate signed with an unknown Certificate Authority

SSL Medium Strength Cipher Suites Supported

SSL Version 2 (v2) Protocol Detection

SSL Weak Cipher Suites Supported
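As an added illustration (not code from the original post), the following Python turns the list of typical internal findings above into a repeatable check run over a constructed scan record for a hypothetical internal host; the host name, cipher-suite names, certificate details and the trusted-issuer list are all assumptions, and the classification rules are a simplification of how scanners bucket suites.

```python
from datetime import datetime, timezone

# Constructed scan record for a hypothetical internal host; not real data.
SAMPLE = {
    "host": "intranet.example.internal",
    "protocols": ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["ADH-AES128-SHA", "EXP-RC4-MD5", "DES-CBC3-SHA", "RC4-SHA",
                "ECDHE-RSA-AES256-GCM-SHA384"],
    "cert": {"not_after": "2011-11-30T00:00:00Z",
             "sig_alg": "md5WithRSAEncryption",
             "issuer": "CN=Internal Test CA"},
}
# Assumption: the issuers the organisation has deliberately chosen to trust.
TRUSTED_ISSUERS = {"CN=Example Corporate Root CA"}
WEAK_HASHES = ("md2", "md4", "md5", "sha1")   # sha1 included per current guidance

def _utc(ts):
    """Parse an ISO-8601 UTC timestamp such as 2012-02-01T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify_cipher(name):
    """Map an OpenSSL cipher-suite name to one of the post's finding categories."""
    if name.startswith(("ADH-", "AECDH-")):        # no server authentication at all
        return "anonymous"
    if name.startswith("EXP") or "NULL" in name or "DES-CBC-" in name:
        return "weak"                                 # export-grade, null or single DES
    if "RC4" in name or "DES-CBC3" in name:
        return "medium"                               # legacy 112/128-bit suites
    return "strong"

def assess(record, now_iso, trusted=TRUSTED_ISSUERS):
    """Return the findings for one scanned service, in a fixed report order."""
    findings = []
    if "SSLv2" in record["protocols"]:
        findings.append("SSL Version 2 (v2) Protocol Detection")
    cats = {classify_cipher(c) for c in record["ciphers"]}
    for cat, title in (("anonymous", "SSL Anonymous Cipher Suites Supported"),
                       ("weak", "SSL Weak Cipher Suites Supported"),
                       ("medium", "SSL Medium Strength Cipher Suites Supported")):
        if cat in cats:
            findings.append(title)
    cert = record["cert"]
    if _utc(cert["not_after"]) < _utc(now_iso):
        findings.append("SSL Certificate Expiry")
    if cert["sig_alg"].lower().startswith(WEAK_HASHES):
        findings.append("SSL Certificate Signed using Weak Hashing Algorithm")
    if cert["issuer"] not in trusted:
        findings.append("SSL Certificate signed with an unknown Certificate Authority")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE, "2012-02-01T00:00:00Z"):
        print(finding)
```

Feeding the same record format from a real scanner export lets the check be repeated across the estate so internal hosts are held to the same bar as the external ones.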

Why do organisations implement such a flawed approach to internal use of SSL? Is it a lack of strategic direction, budget or maybe just a lack of thought?

Poor SSL certificate use can lead to compromise of sensitive data. The number of threat vectors that can be used against poorly implemented SSL increases when the attacker is on the same network as the service (man in the middle attacks etc.). It seems sensible that if SSL has been implemented to protect the confidentiality of the service, then internally this becomes as important, if not more important, than for a service presented over the Internet.

What about the impact of a mixed message on the end user? Are we in danger of educating our employees that SSL warnings are ok to be ignored? If this is the message they come away with, whose responsibility will it be when this behaviour is then replicated at home and they click on the following?
